Business Continuity Risk Management IT Service Continuity · 2020-01-23 · Author: Business...
Business Continuity Risk Management IT Service Continuity
The Three Musketeers
“All for one, one for all”
Athol Culpan, Isaacs George and Ray Botardo
Agenda
Introductions – Athol Culpan
Case Study Overview – Athol Culpan
Business Continuity Management (BCM) – Isaacs George
Risk Management – Ray Botardo
IT Service Continuity Management (ITSCM) – Athol Culpan
Challenges and Lessons Learned – Panel (Athol, Isaacs & Ray)
Conclusion – Questions and Answers
Copyright © Datacom New Zealand Limited 2013 Thursday, 8 May 2014
Introductions
Isaacs George – Business Continuity Manager – Datacom
• Public and Private sector experience including Consulting
• Business Continuity Institute (BCI Certified), PMP, ITIL
• Contact details: Mobile: +64274888789
Email: [email protected]
Ray Botardo – Process Team Manager – Datacom
• Public and Private sector experience including Consulting
• CISM, PMP, COBIT 5, ITIL, ISO 20000
• Contact details: Mobile: +64277039326
Email: [email protected]
Athol Culpan – IT Service Continuity Manager
• Public and Private sector experience including Consulting
• ITIL 3 Expert, Prince2 Practitioner, ISO 20000
• Contact details: Mobile: +64272677555
Email: [email protected]
Case Study Introduction
Datacom needed to build an internal capability in the area of BCM
and ITSCM.
The benefits of doing this are as follows:
• Assisting Datacom customers with their BCM
requirements where asked to do so
• Expectation from our customers to meet our
contractual obligations in the case of a disaster
Datacom subscribes to the ITIL “Good Practice” guidelines
Strong investment by Datacom in BCM and Disaster Recovery
Datacom – BCP Approach
Datacom Systems Limited (DSL) – New Zealand BCP Directive
(Diagram: BCP Information Dependencies – ITSCM Planning. Sites DSL WGTN, DSL AKL and DSL CHCH, each with business units BU 1, BU 2 and BU 3; Common Risks feed Common Actions, Unit Specific Risks feed Unit Specific Actions.)
High Impact, Low Probability Events – earthquakes, tsunamis, volcanoes
BC – The Big Picture
(Diagram: The relationship between BC, DR, Risk, Security and IT Management – Risk Management, Information Security Management, Disaster Recovery (DR), Business Continuity Management and IT Management shown as overlapping disciplines.)
What is Business Continuity?
What it isn’t – it’s not just Disaster Recovery (DR)!
A holistic approach to identify potential threats/risks to an
organisation and quantify the effects of those threats/risks if they
eventuate
Purpose is to build resilience in and protect sources of value in the
organisation
Resilience is the ability of an organisation to absorb, respond to
and recover from a disruption or unexpected event
To reiterate - BCM is holistic (applies to the whole organisation),
cross-functional and cross-enterprise
Process and Approach -
Based on the Business Continuity Institute’s (BCI) Good Practice Guideline BCM Lifecycle
Terminology
Recovery Time Objective (RTO) - How long a business process can
be without an IT application before significant damage to finances or
reputation occurs, or the limit set by legal or regulatory
requirements
Recovery Point Objective (RPO) - How much data the business
process can recreate or afford to lose
Maximum Tolerable Period of Disruption (MTPD) - The maximum
amount of time that the business can survive without the business
process in any form (manual or automated)
Business Impact Analysis (BIA)
Dependencies – for each business function
Risks
• Possibility that a threat can lead to a disruption or loss of service
• Can be specific to a business unit, or common across several business units (e.g. fire, earthquake, theft, malware attack)
• Defined by:
– Severity (impact to the business)
– Occurrence (probability)
– Level of Control (practices, processes, technology)
• RPN (Risk Priority Number) = S x O x C
Risk Analysis Cycle (diagram)
Risk Assessment: Risk Scenario → Threat Category (Environment, Process, People, Technology) → Threat Identification → Risk Identification (specific unit or multiple groups?) → Identify Current Control → Risk Rating (S, O, C: Severity, Occurrence, Level of Control; RPN = S x O x C) → Prioritize (RPN ranking)
Risk Treatment (Avoid, Accept, Transfer, Mitigate) → Risk Mitigation Actions → Review Risks
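The scoring and prioritisation steps of the cycle above, worked through as a small risk register. This is an added example, not Datacom's tooling or anything from the slides: the 1..5 rating scale, the convention that a higher Level of Control score means a weaker control (so that a higher RPN always means a worse risk), the treatment threshold and the sample risks are all constructed for illustration. It also shows the common versus unit-specific split from the BCP directive diagram, so each business unit sees the shared risks plus its own.

```python
"""Risk register scoring and ranking with RPN = S x O x C (added example, not Datacom's tooling).

Assumptions (constructed, not from the slides): each of S, O and C is rated on a 1..5 scale,
and C ("Level of Control") is scored so that a higher number means a weaker control, which is
what makes a higher RPN consistently mean "worse".
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # assumed rating scale


@dataclass(frozen=True)
class Risk:
    name: str
    threat_category: str             # Environment, Process, People or Technology
    severity: int                    # S: impact to the business
    occurrence: int                  # O: probability
    control: int                     # C: level of control (5 = no effective control; assumption)
    business_units: tuple[str, ...]  # units the risk applies to

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed scale so a typo cannot distort the ranking.
        for label, value in (("S", self.severity), ("O", self.occurrence), ("C", self.control)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{label} rating {value} outside {SCALE_MIN}..{SCALE_MAX} for {self.name!r}")
        if not self.business_units:
            raise ValueError(f"{self.name!r} must apply to at least one business unit")

    @property
    def rpn(self) -> int:
        """Risk Priority Number = Severity x Occurrence x Level of Control."""
        return self.severity * self.occurrence * self.control

    @property
    def is_common(self) -> bool:
        """Common risk (shared by several units) versus unit-specific risk."""
        return len(self.business_units) > 1


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Prioritise: highest RPN first; ties broken by severity so impact wins."""
    return sorted(risks, key=lambda r: (r.rpn, r.severity), reverse=True)


def split_common_and_unit_specific(risks: list[Risk]) -> tuple[list[Risk], list[Risk]]:
    """Separate the register into common risks and unit-specific risks, each ranked."""
    common = [r for r in risks if r.is_common]
    specific = [r for r in risks if not r.is_common]
    return rank_risks(common), rank_risks(specific)


def risks_for_unit(risks: list[Risk], unit: str) -> list[Risk]:
    """A business unit's view: the common risks plus its own unit-specific ones."""
    return rank_risks([r for r in risks if unit in r.business_units])


def treatment_candidates(risks: list[Risk], threshold: int) -> list[Risk]:
    """Risks at or above the threshold go to Risk Treatment (avoid / accept / transfer /
    mitigate is a decision for the risk owner); the rest are picked up on the normal review."""
    return [r for r in rank_risks(risks) if r.rpn >= threshold]


ALL_UNITS = ("BU 1", "BU 2", "BU 3")

# Constructed sample register; names and ratings are illustrative only.
SAMPLE_REGISTER = [
    Risk("Supplier SLA not honoured in a disaster", "Process", 4, 3, 4, ALL_UNITS),
    Risk("Earthquake at Wellington site", "Environment", 5, 2, 4, ALL_UNITS),
    Risk("Malware attack", "Technology", 4, 4, 2, ALL_UNITS),
    Risk("Key payroll person unavailable", "People", 3, 3, 3, ("BU 2",)),
    Risk("Theft of field laptops", "Environment", 2, 4, 2, ("BU 1",)),
    Risk("Fire in data hall", "Environment", 5, 1, 2, ALL_UNITS),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER):
        scope = "common" if r.is_common else f"unit-specific ({r.business_units[0]})"
        print(f"RPN {r.rpn:3d}  S{r.severity} O{r.occurrence} C{r.control}  {r.name} [{scope}]")
    print("For treatment (RPN >= 30):", [r.name for r in treatment_candidates(SAMPLE_REGISTER, 30)])
```

The ranking is only as good as the scale behind it: if Level of Control is scored the other way round (5 = strong control), a well-controlled risk would float to the top, so agree the direction of each scale before the first scoring workshop and validate inputs against it, as the constructor does here.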
ITSCM supports the overall Business Continuity Management (BCM) process
by ensuring that the required IT resources can be recovered within
time frames agreed with the business
Provides pre-determined levels of service under exceptional
conditions
Common responsibilities and risk management
Selection of options based on business requirements
Definition of roles and responsibilities
Alignment of IT recovery plans and BCM exercising (testing)
Resources include hardware, software, staff and the physical
environment
The technical and operational aspects of your total Business
Continuity Plan
BCM and ITSCM
ITSCM must be aligned to the Business Continuity Lifecycle
ITSCM must be a part of the overall Business Continuity Plan and
not dealt with in isolation
ITSCM is the “technical component” of BCM
IT Focus
Critical Business Process Recovery Metrics
How did ITSCM align with BCM?
ITSCM follows a similar approach to BCM, but from a technology
and IT systems perspective - ITSCM was able to leverage the
BIA exercise in DSL (ITSCM also participated in these exercises)
The BIA helped identify which business processes were critical and
what technology and IT systems are required to support them.
The RTO and RPO were determined by the business units (not IT)
within DSL themselves, and in this way could be matched against what
the ITSCM plans were required to deliver.
The risk identification and management helped with determining
risk mitigation and prevention from a technology perspective.
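Matching the business-set RTO and RPO against the ITSCM plans, as described above, is a gap analysis that is worth automating once the BIA has more than a handful of processes. The following is an added example with constructed data, not Datacom's BIA or plans. One rule in it is not stated on the slides and is an assumption drawn from the definitions: a process's RTO should not exceed its MTPD (the business cannot wait longer for the IT application than it can survive without the process in any form), so that combination is reported as a BIA inconsistency for the business unit to resolve rather than as an IT gap.

```python
"""Gap analysis between BIA recovery objectives and ITSCM plan capability.

Added example with constructed data (not Datacom's). Business units own RTO, RPO and MTPD;
IT owns the demonstrated recovery time and backup interval of each supporting system.
Assumption (not on the slides): RTO must not exceed MTPD, otherwise the BIA is inconsistent.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class BusinessRequirement:
    """Set by the business unit in the BIA, not by IT."""
    process: str
    business_unit: str
    rto: timedelta   # tolerable time without the IT application
    rpo: timedelta   # tolerable data loss, expressed as time
    mtpd: timedelta  # longest the business survives without the process in any form


@dataclass(frozen=True)
class ItRecoveryCapability:
    """What the ITSCM plan for a supporting system can demonstrably achieve."""
    system: str
    supports: str               # business process it underpins
    recovery_time: timedelta    # achieved in the last DR exercise
    backup_interval: timedelta  # worst-case data loss = time since the last backup


def fmt(td: timedelta) -> str:
    """Render a timedelta as hours for readable findings (15 min -> 0.25h)."""
    return f"{td.total_seconds() / 3600:g}h"


def gap_analysis(requirements: list[BusinessRequirement],
                 capabilities: list[ItRecoveryCapability]) -> list[tuple[str, str]]:
    """Return (process, finding) pairs; an empty list means every objective is met."""
    by_process: dict[str, list[ItRecoveryCapability]] = {}
    for cap in capabilities:
        by_process.setdefault(cap.supports, []).append(cap)

    findings: list[tuple[str, str]] = []
    for req in requirements:
        # Assumed consistency rule: the business cannot ask IT for more time than it can survive.
        if req.rto > req.mtpd:
            findings.append((req.process,
                             f"BIA inconsistency: RTO {fmt(req.rto)} exceeds MTPD {fmt(req.mtpd)}"))
        caps = by_process.get(req.process)
        if not caps:
            findings.append((req.process, "no ITSCM plan covers this process"))
            continue
        for cap in caps:
            if cap.recovery_time > req.rto:
                findings.append((req.process,
                                 f"RTO gap: {cap.system} recovers in {fmt(cap.recovery_time)}, "
                                 f"business needs {fmt(req.rto)}"))
            if cap.backup_interval > req.rpo:
                findings.append((req.process,
                                 f"RPO gap: {cap.system} backed up every {fmt(cap.backup_interval)}, "
                                 f"business tolerates {fmt(req.rpo)} of loss"))
    return findings


H = lambda n: timedelta(hours=n)  # noqa: E731 - short constructor for the sample data

# Constructed sample BIA output and ITSCM plan data; values are illustrative only.
SAMPLE_REQUIREMENTS = [
    BusinessRequirement("Payroll", "BU 2", rto=H(24), rpo=H(4), mtpd=H(72)),
    BusinessRequirement("Customer billing", "BU 1", rto=H(4), rpo=timedelta(minutes=15), mtpd=H(24)),
    BusinessRequirement("Service desk", "BU 3", rto=H(2), rpo=H(1), mtpd=H(8)),
    BusinessRequirement("Order fulfilment", "BU 1", rto=H(48), rpo=H(24), mtpd=H(24)),
]
SAMPLE_CAPABILITIES = [
    ItRecoveryCapability("HRIS", "Payroll", recovery_time=H(8), backup_interval=H(1)),
    ItRecoveryCapability("Billing DB", "Customer billing", recovery_time=H(12), backup_interval=H(1)),
    ItRecoveryCapability("Order system", "Order fulfilment", recovery_time=H(24), backup_interval=H(24)),
]

if __name__ == "__main__":
    for process, finding in gap_analysis(SAMPLE_REQUIREMENTS, SAMPLE_CAPABILITIES):
        print(f"{process}: {finding}")
```

Feed the recovery times from actual DR exercise results rather than from the plan's stated targets; the slides' point that exercises must involve both IT and the business is exactly what keeps this comparison honest.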
DR Planning & Testing
DR Planning
ITSCM prepares for the worst case scenario
Not just how to recover from a disaster but also how to return to normal
How to prevent/minimize the disaster from occurring in the first place
Investigates, develops and implements recovery options when a service
interruption reaches a pre-defined point
DR Exercises (Testing)
Ensure that your processes and procedures will work in the event of a
true disaster
Types - Walk-throughs, Full tests, Partial tests, Scenario tests
Involve IT and the business
Defined objectives and critical success factors
Can’t test everything
IT Service Continuity Management
(Video: Yellowpages.mpg)
Challenges and Lessons Learnt
Challenges:
Obtaining the required time from each business unit to explain the
purpose of Business Continuity and how it benefits them and the
wider organisation. This is an additional task on top of their business as usual
activities
Creating the strategy and approach and rolling it out to all
business units takes considerable time. Usually much longer than planned
at the start!
Lessons Learnt:
Obtaining senior management buy-in and continued support is crucial to
ensure the success of the whole BC programme of work
Requires persistence and drive to push this programme through and show
business units the benefits of applying BC, e.g. their concerns/risks can be
quantified and addressed by management
Challenges and Lessons Learnt
Contracts with suppliers can be worthless in a major disaster
Despite promises of rapid SLAs
Despite penalty clauses that might apply should SLAs not be met
Be Prepared: / If Not:
Develop systems that enable your business to be self-sufficient for at
least 48 hours (industry recommendation)
Conclusion – Time for Q & A
Thank You